Vulnerability Title: Ilevia EVE X1/X5 Server 4.7.18.0.eden Authenticated Remote Command Injections
Advisory ID: ZSL-2025-5966
Risk Level: 5/5 (Critical)
Vulnerability Type: Local/Remote
Impact: System Access, DoS
Release Date: 13.11.2025

Summary
The advisory describes vulnerabilities in the Ilevia EVE X1/X5 Server that allow for authenticated remote command injections, potentially leading to system access and Denial of Service (DoS).

Description
The EVE X1/X5 server is vulnerable to multiple authenticated OS command injection vulnerabilities. These can be exploited to inject and execute arbitrary shell commands through multiple parameters.

Affected Version
<= 4.7.18.0.eden (Logic version: 6.00)

Tested On
GNU/Linux 5.4.35 (armv7l)
GNU/Linux 4.19.97 (armv7l)
Armbian 20.02.1 Buster
Apache/2.4.38 (Debian)
PHP Version 7.3.31

Vendor Status
01.05.2024: Vulnerability discovered.
06.05.2024: Vendor contacted.
... (Timeline of interactions with the vendor)
13.11.2025: Public security advisory released.

Proof of Concept

Credits
Vulnerability discovered by Gjoko Krstic

References
1. Vulncheck
2. CVE
3. Packetstorm